Sorry, I'm new to php and I'm just wondering are Cookies during sessions terminated after the session ends and if yes, why ?
Thankyou.
While a session is supposed to terminate when the user leaves the website, the cookie is meant to store data for the next visit as well. So, no you should not terminate a cookie.
This is not only the case for PHP, it's just what cookies are for:
An HTTP cookie, is a small piece of data sent from a website and stored in a user's web browser while the user is browsing that website. Every time the user loads the website, the browser sends the cookie back to the server to notify the website of the user's previous activity. Cookies were designed to be a reliable mechanism for websites to remember stateful information. - Wikipedia
Related
I have an existing webapp in php and js and I am trying to add authentication to it. I have figured out the part on how to create a login page and authenticate against my organisation's LDAP server where multiple users have their accounts created.
My question is about the $_SESSION variable being same for all users who visit.
If a user visits the page and I set
$_SESSION["username"]="xyz";
$_SESSION["logged_in"]=true;
and then if another user logs in, will the $_SESSION variable be totally new for him or will the keys like "username" and "logged_in" be set with the previous user's data?
If not, then how does PHP or the httpd webserver know whether the tab is closed or a new request has come in?
If I open multiple tabs in the browser (or multiple browser windows) will it all have the same $_SESSION variable in the backend?
Basically I have questions about the lifecycle of the $_SESSION variable.
When the server receives a HTTP request, a Session ID is generated by the server and is sent back to the browser. The browser stores the Session ID in a cookie so it can re-use it. The ID forms the link between the browser and server, so that the server can identify subsequent requests as coming from the same browser.
The browser then sends that Session ID to the server (in a HTTP header) in every request the browser makes to the same server. PHP uses that ID to find the right session data for that ID in its storage. The actual session data is private and never leaves the server. Only the ID goes to the browser.
All of this means it's impossible for two users to share the same session data, because each session ID is unique. (It would technically be possible to steal another user's session ID if they were using an insecure HTTP-only connection to the server and you were able to monitor their network traffic, or even with HTTPS using a man-in-the-middle attack, but that's a whole other topic.)
If you close the browser, the session cookie is destroyed, by default. Therefore when you re-open the browser and go back to the same website, it will send a request without a session ID and will be given a new session ID by the server.
The other thing that would cause a new session to occur is if the session times out on the server. The server will have a session timeout value. It records what time a session was started and when the last request was made using that session ID. If no requests occur using a given session ID for timeout minutes after the last one, then the session ID will be destroyed and the browser will be given a new session ID next time a request occurs, regardless of whether it sent the previous one or not. This is usually why you find you're logged out of a website if you don't use it for a few minutes.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
PHP session or cookie
We are developing a new project where we want to keep track of some information regarding the user from page to page, in terms of security, reliability and server usage is it better to do so with sessions or with cookies? What are the ups and downs of using one method or another.
For example to keep track if the user has successfully logged in or not, or to keep track of the language that the user selected.
Basically we want to know how to decide if we should use cookies or sessions, obviously if we want to keep track of data occurring within different visits to the page in different occasions and even different days the answer would be to use a cookie, but what about keeping track within the navigation of the page without closing the browser.
Thanks
A cookie is a small piece of text that is sent by the server to the client in the HTTP response headers. The client will store it locally and return it back to the server with every request in the request headers. That allows the implementation of some state in the otherwise stateless HTTP protocol.
A session is a concept typically implemented on top of cookies. The server sends a meaningless, unique session token (a random id) as a cookie to the client and the client returns it on every request. Server-side this id is associated with some data. Every time a client sends its session token back to the server in a request, the server looks up the data associated with that token.
The transfer of the session id back and forth between the client and the server can also happen by embedding the session id into all URLs or form requests, it doesn't have to be cookies. Embedding session ids in the URL is a bad idea though, since that allows accidental session transfers if URLs are shared between different users (see below). These days sessions are typically implemented using cookies client-side.
Conceptually cookies and sessions are extremely similar, they both implement state in HTTP. The difference is that a cookie can only store a small amount of data which is transferred back and forth on every request and is editable by the user (because it's information stored on the client); while a session stores all data server-side and is thereby only limited by the server's resources. The only vulnerability sessions have is that if a user can guess or steal the session id of another user, he can impersonate that user. That's known as session hijacking. Plain cookies have no security whatsoever and should not be used for anything important (as in, the user can see and edit the contents, so storing userloggedin=yes in a cookie is the worst thing you can do).
I wonder if cookies are the same as session cookies?
A cookie is a cookie.
"Session cookie" can refer to one of two things:
A cookie with unspecified timeout, which will be discarded as soon as the browser is closed. I.e. the browser will only retain it for the current "browsing session."
A cookie containing a session id.
Sometimes it means both. It's not a very well defined term.
As such, the correct description would be session cookie ⊆ cookie,
instead of session cookie = cookie. ;o)
All session cookies are cookies, but not all cookies are session cookies.
Session cookies are cookies whose only purpose is to maintain session state in your site. They typically disappear the moment you close your browser, whereas other cookies that contain some other data tend to persist across sessions.
I wonder if cookies are the same as session cookies?
No. There are different types of cookies.
Session cookies usually used for tracking sessions. They are deleted by a browser when you close it.
Persistent cookies saved on your hard drive. Persistent cookies expire (deleted by browser) when expiry date is reached.
First party cookies are set/retrieved by a website which you actually visit.
Third party cookies are set/retrieved by a different domain. Usually used for advertising and info sharing between websites.
There are also HTTP Only, Secure, and zombie cookies.
The main difference between cookies and sessions is that cookies are stored in the user's browser, and sessions are not. This difference determines what each is best used for.
A cookie can keep information in the user's browser until deleted. If a person has a login and password, this can be set as a cookie in their browser so they do not have to re-login to your website every time they visit. You can store almost anything in a browser cookie. The trouble is that a user can block cookies or delete them at any time. If, for example, your website's shopping cart utilized cookies, and a person had their browser set to block them, then they could not shop at your website.
Sessions are not reliant on the user allowing a cookie. They work instead like a token allowing access and passing information while the user has their browser open. The problem with sessions is that when you close your browser you also lose the session. So, if you had a site requiring a login, this couldn't be saved as a session like it could as a cookie, and the user would be forced to re-login every time they visit.
You can of course get the best of both worlds! Once you know what each does, you can use a combination of cookies and sessions to make your site work exactly the way you want it to.
Is PHP sessions the same as cookies? I ask this because I'm writing a privacy policy and the site uses PHP sessions, MySQL, JQuery and CSS. If Session are not the same should I change or leave the cookies name?
Here is what I have so far.
Cookies - The Website uses "cookies," a technology that stores a small amount of information on a user's computer to permit the Website to recognize future visits using that computer. Cookies enhance the convenience and use of the Website. For example, the information provided through cookies is used to recognize you as a previous user of the Website (so you do not have to enter your personal information every time), offer personalized content and information for your use and otherwise facilitate your Website experience.
PHP sessions are stored, by default, in a temp directory on the webserver. The session id is stored in a cookie called PHPSESSID. By default, these are not tracking cookies and don't have to be persistent (e.g. they expire whenever you close your browser). So they are safe to use even in websites that have enforced privacy regs.
For instance, I worked for a major branch of the U.S. military and we used _SESSION's all the time, despite the U.S. government forbidding a great many types of cookies.
To make a session cookie non-persistent:
// Make the session cookie last for 24 hours.
ini_set('session.cookie_lifetime', 86400);
Sessions are stored in the server, and after an previusly set ammount of time, it dies, or in other words, its deleted. Sessions do not need permission from the user to create, as a matter of fact, php initializes a session for each new web request that arrives from an ip to the server.
Cookies, on the other hand, are data stored in the browser's data folder, and every user needs to authorize the site to use them, and of course, they are not shared, meaning that IE and Firefox cannot share a cookie.
An example would be to login in this site and next time you point your browser it will remember your credentials, but if you try to open it with IE, it won't know who you are, hence the fact that they don't share data.
Hope it helps
Best of luck!
I am in need of session variable must be exist even after browser closed or system shutdown.
But in my page it will not support session scope between browsers that is at first i signin with firefox while i login with chrome browser it comes to login page . Why these happen . Please any body help me to solve this problem.
Thanks and Regards,
Alagar Pandi.P
alagar.pandi#gmail.com
Session scope between browsers is not possible. Sessions are identified by a token, which must first be given to the user, and then passed back later by the browser in some form. Generally this is done with cookies, although it can also be done by appending the token to URLs as the visitor browses around the site.
Since web browsers are separate pieces of software with their own methods of handling cookies, you cannot share cookies between browsers, and therefore you cannot share cookie-based sessions. It is possible to copy-and-paste a URL from a web site that contains a session token into another browser and continue the session there, but most sites use cookies, so this is not often possible, and it certainly doesn't accomplish what you would like to do.
What you ask is generally considered impossible, but also usually not an issue. On the plus side, it is also a process generally understood by most users. Users do not expect to log in to a site with one browser, and then boot up another and still be logged in.
session expiry between browser and
after browser or system shutdown ?
Neither after browser close nor system shutdown
Session is expired when its get timeout on server side, and it depends on each web server settings, for example, after 20 mintues.
Cookies are the only way to track users. They can either be persistent or not. If a cookie is persistent it is stored in the user's computer as a file and has an expiration date but only the browser that created it will be able to access it again. There's no way to achieve cross-browser cookies.
Then you should use. Client side cookies rather than session variables.
Session exists only until the browser close or system shutdown.
If you still want to proceed with session variable, then store the session value in the DB and whenever the login page loads check the db if the user hasn't signed out manually, if yes then show him main page otherwise show hime the login page.